When the user opens the malicious Electrum wallet, the app asks the user for a two-factor authentication (2FA) code. This is a red flag, as these 2FA codes are only requested before sending funds, and not at wallet startup.

The problem here is that Electrum servers are allowed to trigger popups with custom text inside users’ wallets.

The initial attacks were more effective and appear to have tricked more users than the later ones. This is because the Electrum wallet rendered these server messages as rich-formatted text, making the popups look more authentic and giving users a ready, clickable link.

Image: SomberNight

After receiving news of the attacks, the Electrum team responded by silently updating the Electrum wallet app so that these server messages no longer render as rich HTML text.

Image: SomberNight

“We did not publicly disclose this [attack] until now, as around the time of the 3.3.2 release, the attacker stopped,” said SomberNight, a developer on the Electrum wallet team. “However they now started the attack again.”

Not all users who received these new errors found the mysterious popup with mangled text suspicious. Some users were more inconvenienced than alerted: they manually copy-pasted the text link shown inside the popup into their browser, then downloaded and installed the tainted Electrum wallet update.

The attack came to a halt a few hours ago when GitHub admins removed the repository containing the malicious wallet version.

As stated before, new attacks are expected to get underway, possibly with a new download link. But the underlying issue remains the attacker’s malicious servers.


Devs are currently looking into replacing the ability to send customized error messages with error codes, which the Electrum wallet would then decode on the client side and show a preset message instead.
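The two mitigations described above, treating server text as plain text rather than HTML and replacing free-form server messages with client-side error codes, are illustrated below in an added example. This is not Electrum’s code; the error codes, the preset messages and the JSON error shape (a `code` field plus a server-controlled `message` field) are assumptions for the demonstration. The point is that nothing the server sends ever reaches the user as markup or as a clickable link, and the text shown comes from a table the client ships with.

```python
import html
import json

# Closed set of client-side messages keyed by integer error codes.
# Hypothetical codes and wording, not Electrum's own.
PRESET_MESSAGES = {
    1: "The server rejected the transaction. Check the fee and inputs, then try again.",
    2: "This server is out of date. Please select another server.",
    3: "The transaction spends an output that is already spent.",
}
GENERIC_MESSAGE = "The server returned an unrecognised error. Please select another server."


def message_for_server_error(raw_error: str) -> str:
    """Map an untrusted server error to a preset, client-owned message.

    Only the integer `code` is consulted. The server-controlled `message`
    field (where a phishing link would be placed) is deliberately ignored,
    so the server has no channel to put custom text in front of the user.
    Anything malformed or unknown collapses to GENERIC_MESSAGE.
    """
    try:
        err = json.loads(raw_error)
    except (ValueError, TypeError):
        return GENERIC_MESSAGE
    if not isinstance(err, dict):
        return GENERIC_MESSAGE
    code = err.get("code")
    # bool is a subclass of int in Python; exclude it explicitly.
    if isinstance(code, bool) or not isinstance(code, int):
        return GENERIC_MESSAGE
    return PRESET_MESSAGES.get(code, GENERIC_MESSAGE)


def escape_for_plain_display(text: str, limit: int = 200) -> str:
    """Fallback for a client that still shows server text: neutralise it.

    HTML-escapes the string so tags and attributes render literally,
    flattens line breaks, and truncates so a server cannot flood the
    dialog. The result is safe to place in a rich-text widget as plain text.
    """
    flat = " ".join(text.split())
    return html.escape(flat[:limit], quote=True)


if __name__ == "__main__":
    # Constructed sample error, shaped like the popups described in the article:
    # a server-chosen message carrying a link to a "wallet update".
    sample = json.dumps({
        "code": 2,
        "message": '<b>Security update required</b> <a href="https://example.invalid/update">Download</a>',
    })
    print("preset  :", message_for_server_error(sample))
    print("escaped :", escape_for_plain_display(json.loads(sample)["message"]))
```

With error codes, a hostile server can at most pick which of the client’s own sentences is shown; with the escape fallback, a server can still show arbitrary text, but it appears as inert characters rather than as a formatted message with a working link, which is the state Electrum moved to with its silent update.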

SomberNight says Electrum devs have so far identified at least 33 malicious Electrum servers added to their network, but the true number appears to be around 40-50. It is unclear for now what the devs intend to do about these servers.